CVE-2024-8256 (GCVE-0-2024-8256)
Vulnerability from cvelistv5 – Published: 2024-12-10 08:56 – Updated: 2024-12-10 15:35
VLAI?
Title
Incorrect Permission Assignment in RutOS based routers and TSWOS based managed switches
Summary
In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Teltonika Networks | RUTOS |
Affected:
7.0 , < 7.8
(custom)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:teltonika-networks:rutos_devices:7.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "rutos_devices",
"vendor": "teltonika-networks",
"versions": [
{
"lessThan": "7.8",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:teltonika-networks:tswos:1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "tswos",
"vendor": "teltonika-networks",
"versions": [
{
"lessThan": "1.3",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8256",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T15:32:26.176120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T15:35:59.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RUTOS",
"vendor": "Teltonika Networks",
"versions": [
{
"lessThan": "7.8",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TSWOS",
"vendor": "Teltonika Networks",
"versions": [
{
"lessThan": "1.3",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API."
}
],
"value": "In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T08:56:55.195Z",
"orgId": "001d69cf-3fc9-4203-93fb-9865b54e05b2",
"shortName": "tlt_net"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.deepcove.support/teltonika-responsible-disclosure-proactive-testing-report/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Permission Assignment in RutOS based routers and TSWOS based managed switches",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "001d69cf-3fc9-4203-93fb-9865b54e05b2",
"assignerShortName": "tlt_net",
"cveId": "CVE-2024-8256",
"datePublished": "2024-12-10T08:56:55.195Z",
"dateReserved": "2024-08-28T05:26:25.399Z",
"dateUpdated": "2024-12-10T15:35:59.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.\"}, {\"lang\": \"es\", \"value\": \"En los dispositivos RUTOS de Teltonika Networks que se ejecutan en las versiones 7.0 a 7.8 (excluidas) y en los dispositivos TSWOS que se ejecutan en las versiones 1.0 a 1.3 (excluidas), debido al manejo incorrecto de permisos existe una vulnerabilidad que permite que un usuario con menos privilegios y permisos predeterminados acceda a recursos cr\\u00edticos del dispositivo a trav\\u00e9s de la API.\"}]",
"id": "CVE-2024-8256",
"lastModified": "2024-12-10T09:15:06.190",
"metrics": "{\"cvssMetricV40\": [{\"source\": \"001d69cf-3fc9-4203-93fb-9865b54e05b2\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"HIGH\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
"published": "2024-12-10T09:15:06.190",
"references": "[{\"url\": \"https://www.deepcove.support/teltonika-responsible-disclosure-proactive-testing-report/\", \"source\": \"001d69cf-3fc9-4203-93fb-9865b54e05b2\"}]",
"sourceIdentifier": "001d69cf-3fc9-4203-93fb-9865b54e05b2",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"001d69cf-3fc9-4203-93fb-9865b54e05b2\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-732\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-8256\",\"sourceIdentifier\":\"001d69cf-3fc9-4203-93fb-9865b54e05b2\",\"published\":\"2024-12-10T09:15:06.190\",\"lastModified\":\"2024-12-10T09:15:06.190\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.\"},{\"lang\":\"es\",\"value\":\"En los dispositivos RUTOS de Teltonika Networks que se ejecutan en las versiones 7.0 a 7.8 (excluidas) y en los dispositivos TSWOS que se ejecutan en las versiones 1.0 a 1.3 (excluidas), debido al manejo incorrecto de permisos existe una vulnerabilidad que permite que un usuario con menos privilegios y permisos predeterminados acceda a recursos cr\u00edticos del dispositivo a trav\u00e9s de la API.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"001d69cf-3fc9-4203-93fb-9865b54e05b2\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"001d69cf-3fc9-4203-93fb-9865b54e05b2\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"references\":[{\"url\":\"https://www.deepcove.support/teltonika-responsible-disclosure-proactive-testing-report/\",\"source\":\"001d69cf-3fc9-4203-93fb-9865b54e05b2\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8256\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-10T15:32:26.176120Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:teltonika-networks:rutos_devices:7.0:*:*:*:*:*:*:*\"], \"vendor\": \"teltonika-networks\", \"product\": \"rutos_devices\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"lessThan\": \"7.8\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:2.3:a:teltonika-networks:tswos:1.0:*:*:*:*:*:*:*\"], \"vendor\": \"teltonika-networks\", \"product\": \"tswos\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0\", \"lessThan\": \"1.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-10T15:35:51.424Z\"}}], \"cna\": {\"title\": \"Incorrect Permission Assignment in RutOS based routers and TSWOS based managed switches\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Teltonika Networks\", \"product\": \"RUTOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"lessThan\": \"7.8\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Teltonika Networks\", \"product\": \"TSWOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0\", \"lessThan\": \"1.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.deepcove.support/teltonika-responsible-disclosure-proactive-testing-report/\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources via the API.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732 Incorrect Permission Assignment for Critical Resource\"}]}], \"providerMetadata\": {\"orgId\": \"001d69cf-3fc9-4203-93fb-9865b54e05b2\", \"shortName\": \"tlt_net\", \"dateUpdated\": \"2024-12-10T08:56:55.195Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-8256\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-10T15:35:59.297Z\", \"dateReserved\": \"2024-08-28T05:26:25.399Z\", \"assignerOrgId\": \"001d69cf-3fc9-4203-93fb-9865b54e05b2\", \"datePublished\": \"2024-12-10T08:56:55.195Z\", \"assignerShortName\": \"tlt_net\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…